BIOS-level rootkit attack scary, but hard to pull off

For the security-conscious, the idea that malware, viruses, and Trojans could …

A pair of Argentinean researchers has demonstrated a BIOS-level exploit that allowed the duo to potentially run a great deal of invisible code—which could remain installed even if the hard drive was wiped. Much has been made of this last bit, but malware attacks against the Basic Input Output System are anything but new.

The CIH (Chernobyl) virus that first appeared in 1998 was capable of bricking a system by rewriting critical boot information in the computer's BIOS with garbage output. Even if you dodged this bullet, CIH's primary payload rewrote the first 1MB of the hard drive. If Chernoybl successfully activated on D-day, the best outcome a user could hope for was an apparently wiped hard drive. At worst, system repair involved physically pulling the BIOS chip and installing another.

The advent of write-protected BIOSes, partly in response to CIH, put a damper on firmware-munching malware, but the inherent attractiveness of the BIOS as an attack vector has never vanished. The exploit demonstrated by Anibal L. Sacco and Alfredo A. Ortega, both of Core Security Technologies, is noteworthy and important, but it's not the game-changer some have made it out to be.

The duo presented the details of their BIOS incursion at ConSecWest last week; their presentation is available here (PDF). I haven't seen the full text of their presentation, but the attack as laid out within the document is quite straightforward and relies on the simple fact that a system BIOS can be flashed (upgraded) with a new version. These new versions are installed through several methods—some motherboard companies have utilities that will flash a BIOS within Windows now—but one commonality is that the BIOS must be switched to write-allow mode before the attack can be executed. The aforementioned attack consists of dumping the new BIOS into flashrom (a BIOS read/write/modify utility), making the necessary changes, adjusting all of the checksums to ensure the hacked BIOS will verify as authentic (the two credit Pinczakko here), and flashing. Voila! One evil BIOS.

Establishing one's secret evil layer in BIOS, as previously mentioned, is a darned good idea. From here, the attacker can theoretically install rootkits, infect any virtual machines running on the main rig, and perform any number of dastardly deeds—all below the OS kernel level. As dangerous of a problem as an attack of this nature presents, however, there's one overriding factor that makes it unlikely that we'll ever see an attack of this sort in the wild. The duo's BIOS hack isn't a bug you can catch by opening the wrong e-mail—it must be installed, either by someone with physical access to the system, or remotely by a person with root-level access.

This is not the sort of exploit that anyone bothers with on a grand scale. Not only is it highly impractical, it's also pointless—why go to so much trouble to infect a PC running at a Ma and Pa store if you can spend a hundredth of a cent and send them an infected e-mail they'll open and run? If an organization is genuinely vulnerable to this type of attack, it means one of two things: Either the business's IT security is absolutely horrible and has failed on multiple levels, or it's an inside job. Either way, a number of gates have been left open to leave a system vulnerable to a BIOS-level assault.

18 Reader Comments

Gotta disagree with your final assessment; the email is what what will eventually give The Bad Guys(tm) root access to do the BIOS Flash as part of it's payload; the payload then guarantees the system can't be easily cleaned.

So you have a rootkit that you can run ONCE through some exploit, and then forever after you own the machine, and it's very difficult to remove (read, near impossible to do it automatically). I expect to see at least a proof of concept for the entire stack before years end, probably before the summers end, and maybe before the summer starts.

I disagree with your final assessment that hackers won't target "mom and pop" outfits. On the contrary, those smaller outfits often rely on outsourced IT that comes in "on call". They are also still businesses that have access to credit systems, etc much easier than any home user does. So, in actuality, it would make a LOT of sense for someone to target these more vulnerable machines and use their own computers after they "shut down" for the night as remote hacking points. They may not have much information themselves, but they are gateways to something bigger.

you mean, the fact that pretty much anyone with physical access to a PC or Admin rights can rootkit it is not a problem.

<tinfoil hat on>

Let's review who may have access to those PCs- the foreigners and national loonies who build your army's and government's PCs- all your greedy and disgruntled IT staff, past, present and future- spies, spouses, mistresses, naughty kids...- anyone with a privilege escalation exploit- big companies that sell you software you have to install as Admin. Not that Sony would ever do that...

Fixing machines bricked by CIH was a pain, but often do-able due to the fairly widespread use of socketed BIOS [E]EPROMS at the time. With more modern circuit construction I wonder whether it will be possible to recover from this sort of intrusion without either a replacement MB or a high-end rework station. From what I can gather on the net even dual-bios designs only use the backup if the working copy fails (typically due to a failed attempt at BIOS upgrade), which a functional hack will of course circumvent.One more step down the 'if it ain't broke, don't fix it, and if it is broke, replace it' road.

This makes me take pause regarding the idea of going to a more standardized "soft BIOS", as having a BIOS that's easy to access, as it would no longer require flashing a ROM chip, with an industry standard structure and interface would make it simple enough just about any programmer could write a BIOS level rootkit. I think that I'd stick with specialized flash-ROM code after all.

I was hit with a bios rootkit 6 years ago.Once it takes over the bios it flashes all firmware divices on your computer.The first is your video card .Once that is done you are screwed.Next your DVD drive,sound card,router,hard drive controller and any other firmware.And dont forget the hard drive.So know matter what you do it will always protect the rootkit and other viruses it runs.Then when you try to remove rootkit or viruses it will use antivirus software to protect itself.At that point keep your tower and power supply and through the rest out or take a sledge hammer to it to get out your frustration.I will never run winXP again.Hackers can get through winXP in a second.After trying to fix my computer off and on for 5 years.3 motherboards.3 video cards,3 harddrives,2 routers.I through everything away and built my new computer with vista 64bitt I have had no problems sice running vista.Vista has that annoying program pop up questionare do you want to run the program.Its the only way to stop rootkits.I could never figure out why I was attacked.But the bios rootkit has been out for at least 6 years.And it is worse than anything you can imagine.I used every tool on the internet and nothing works including rootkit tools.Rootkit tools can tell you its there but cannot remove it.And if you dont replace the whole computer you will be reinfected by any part or router that runs firmware.For all you people that dont think its real.If I remember correctly that was said about viruses when they first came out.Oh Ill never get a virus.Well we have all had viruses and the bios rootkit is out there.All the hacker has to do is get you to restart your computer and you are screwed.Whats so hard about that?I started my computer 1 day and the screen flashed 2 times and my bios updated and I was screwed.So for all you people that dont think its possible.Thing again!

First, check the compatibility of CoreBOOT, as BIOS replacement is is rather limited. As for the flashrom utility, reading the flash chip is trivial, writing to the chip is not. There are write protection mechanisms that prevent just anyone from writing to the flash part. So it is not as trivial as the authors seem to imply.

What strikes me as new in this presentation (as opposed to other stuff I have read), is the authors believe they have stumbled on an easy to patch the assembly code, something that was previously so complicated, it was not worth the effort. The trick here is that they have identified a general purpose piece of code that could be easily located in the assembly and potentially patched regardless of what mainboard the code is from. However, the authors have neglected to mention a few key issues in getting this sort of thing up and running. So I really do not think it is as scary as it sounds (and it sure seems to be written to sound scary).

It is easy to spread fear abut something few people know much about. As I stated above, I wonder what the researcher's goal is because this is a far cry from a rootkit.

This whole problem can be fixed.All manufacturers have to do is put jumpers on all mainboards,video cards and anything that has firmware.If hardware is physically locked.No one can modify anythink.Software can allways be hacked.

It's like nothing you've ever seen - and we have Macintoshes.A fellow researcher has named it, "Subversion Hack".

I've dealt with it since 1994, on a couple of networked 68k Macs, I've been called names, told I was incompetent, by fellow professionals. it's real. And it doesn't give up - I'm sure it's still on all of my machines 68k-PPC, Intel's, Xserve - everything.I have a couple of fellow travelers and we'll soon be writing about it - I'm a few weeks away from launch.But for now, try these:

Nancy: (the site uses the https site version and she's using the sites server’s default certificate, so you'll get a warning.It won't "get you" it's like this:

The flash part typically is already locked. This is done via a register in the chipset that can only be modified under a special set of circumstances. Usally, it cannot be unlocked outside of SMM.

The SMM caching vulnerability is blown out of proportion for a number of reasons, the first being that there is a dedicated, read only MTRR for locating t-seg. The BIOS just needs to be updated. For older machines, there are some things that may be possible. As for writing to the flash, check the specs from TCG. The BIOS can validate itself if given the option, and users demand that functionality.

There are is a host of other problems with trying to hack the BIOS that have been discussed, I see very little that changes why those hacks are not feasible.